First go at a certbot/letsencrypt role for Fedora Infra
To use it:
1) Include the role in your playbook. This installs certbot, drops a small
piece of Apache config in place and adds a monthly cron job that attempts to
renew certificates. Note that Let's Encrypt certificates are valid for 90 days
and certbot only renews them once they are within 30 days of expiry, so a
monthly run leaves little margin if one attempt fails; consider scheduling the
renewal more often (upstream suggests twice daily) once the SELinux issue noted
below is fixed.
2) Add the following lines to the plain-HTTP (port 80) VirtualHost of the host
you are requesting a certificate for. The ACME HTTP-01 challenge is fetched
over unencrypted HTTP, so this is where the challenge files must be reachable:
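# Serve ACME HTTP-01 challenge files from certbot's webroot (the -w path used
# in the certbot step below). Only /.well-known/acme-challenge/ is mapped, so
# any other /.well-known/ resources this host serves are not shadowed.
# The rewrite target is a filesystem path: httpd must be allowed to serve
# /srv/web/acme-challenge (presumably granted by the role's Apache config;
# verify if the challenge returns 403).
RewriteEngine on
RewriteRule ^/\.well-known/acme-challenge/(.*) /srv/web/acme-challenge/.well-known/acme-challenge/$1 [L]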
3) ssh to the relevant box and request the certificate by hand. This first
issuance is a one-off; later renewals are meant to come from the cron job
installed by the role, although that cron will not work until the SELinux
issue below is fixed:
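# TODO: Fix selinux stuff - the cron won't work until it's fixed either.
#
# Reload httpd so the /.well-known rewrite added in the previous step is
# active before Let's Encrypt tries to fetch the challenge.
service httpd graceful

# WARNING: this switches the *whole host* to SELinux permissive mode, not just
# httpd or certbot. Keep the window as short as possible, run these commands
# interactively, and make sure the `setenforce 1` below really runs even if
# certbot fails. The proper fix is presumably to label /srv/web/acme-challenge
# so httpd can read it with SELinux enforcing — that would also let the cron
# work; confirm with the AVC denials in the audit log.
setenforce 0

# --webroot makes certbot write the challenge token under
# /srv/web/acme-challenge/.well-known/acme-challenge/ and has Let's Encrypt
# fetch it over plain HTTP. (--manual-public-ip-logging-ok belongs to the
# manual authenticator; with --webroot it should be a no-op — confirm against
# the installed certbot version and drop it if unneeded.)
certbot certonly --manual-public-ip-logging-ok --webroot -w \
    /srv/web/acme-challenge/ -d YOURINSTANCE.fedorainfracloud.org

# Re-enable enforcing mode immediately and verify it took effect.
setenforce 1
getenforce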
4) Add your TLS VirtualHost. An Ansible template along these lines should
work; check the protocol and cipher settings against the httpd/OpenSSL
versions on the host before deploying:
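<VirtualHost {{public_ip}}:443 _default_:443>
    ServerName YOURINSTANCE.fedorainfracloud.org

    SSLEngine on
    # Files as laid out by certbot under /etc/letsencrypt/live/<name>/.
    SSLCertificateFile /etc/letsencrypt/live/YOURINSTANCE.fedorainfracloud.org/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/YOURINSTANCE.fedorainfracloud.org/privkey.pem
    # The chain file should hold only the intermediates (chain.pem).
    # fullchain.pem also contains the leaf, which would then be sent twice.
    # On httpd >= 2.4.8 you can instead drop this line and point
    # SSLCertificateFile at fullchain.pem.
    SSLCertificateChainFile /etc/letsencrypt/live/YOURINSTANCE.fedorainfracloud.org/chain.pem

    # Let the server, not the client, choose the cipher suite.
    SSLHonorCipherOrder On
    # Prefer forward-secret AEAD suites. RC4 is broken (RFC 7465 prohibits it)
    # and must not be first in the list, let alone enabled; anonymous, export,
    # NULL, MD5, DES and 3DES suites are excluded too.
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES:HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4:!3DES:!DES
    # SSLv2 and SSLv3 are broken (POODLE); TLS 1.0/1.1 are deprecated.
    # This leaves TLS 1.2 and, where httpd/OpenSSL support it, TLS 1.3.
    # On a very old httpd that does not recognise -TLSv1.1, use at least
    # "ALL -SSLv2 -SSLv3".
    SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    # Your actual config goes here!
    # (httpd config comments use '#'; an HTML-style <!-- --> comment here is
    # parsed as a directive and breaks the config.)
</VirtualHost>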